[RESTRICT AUTOMERGE] CTS test for Android Security b/32096880

Bug: 32096880
Bug: 72461317
Test: Ran the new testcase on android-8.1.0_r1 with and without patch

Change-Id: I68d9aaef9afe4924b528ccf5956e7f0199760da3
(cherry picked from commit 34d681e292eb9d5f220cbc67ed2544ef796a8540)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.mk
new file mode 100644
index 0000000..89294e6
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.mk
@@ -0,0 +1,33 @@
+# Copyright (C) 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2016-2182
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_C_INCLUDES := external/boringssl/include
+LOCAL_SHARED_LIBRARIES := libcrypto
+LOCAL_SHARED_LIBRARIES += libssl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
new file mode 100644
index 0000000..fcd9258
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
@@ -0,0 +1,134 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <string.h>
+#include <openssl/ssl.h>
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+#include <memory>
+
+/** NOTE: These values are for the BIGNUM declared in kBN2DecTests and  */
+/** must be updated if kBN2DecTests is changed.                         */
+#define MALLOC_SIZE_32BITS          11
+#define MALLOC_SIZE_64BITS          6
+static const int sMallocSkipCount32[] = {1,0};
+static const int sMallocSkipCount64[] = {0,0};
+static const char *kTest =
+    "123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890";
+static int sCount = 0;
+static bool sOverloadMalloc = false;
+int loopIndex = 0;
+
+template<typename T>
+struct OpenSSLFree {
+    void operator()(T *buf) {
+        OPENSSL_free(buf);
+    }
+};
+
+using ScopedOpenSSLString = std::unique_ptr<char, OpenSSLFree<char>>;
+namespace crypto {
+template<typename T, void (*func)(T*)>
+struct OpenSSLDeleter {
+    void operator()(T *obj) {
+        func(obj);
+    }
+};
+
+template<typename Type, void (*Destroyer)(Type*)>
+struct OpenSSLDestroyer {
+    void operator()(Type* ptr) const {
+        Destroyer(ptr);
+    }
+};
+
+template<typename T, void (*func)(T*)>
+using ScopedOpenSSLType = std::unique_ptr<T, OpenSSLDeleter<T, func>>;
+template<typename PointerType, void (*Destroyer)(PointerType*)>
+using ScopedOpenSSL =
+std::unique_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer>>;
+
+struct OpenSSLFree {
+    void operator()(uint8_t* ptr) const {
+        OPENSSL_free(ptr);
+    }
+};
+
+using ScopedBIGNUM = ScopedOpenSSL<BIGNUM, BN_free>;
+using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>;
+}  // namespace crypto
+
+static int DecimalToBIGNUM(crypto::ScopedBIGNUM *out, const char *in) {
+    BIGNUM *raw = nullptr;
+    int ret = BN_dec2bn(&raw, in);
+    out->reset(raw);
+    return ret;
+}
+
+void* (*realMalloc)(size_t) = nullptr;
+void mtraceInit(void) {
+    realMalloc = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc");
+    return;
+}
+
+void *malloc(size_t size) {
+    if (realMalloc == nullptr) {
+        mtraceInit();
+    }
+    if (!sOverloadMalloc) {
+        return realMalloc(size);
+    }
+    int mallocSize = MALLOC_SIZE_32BITS;
+    int mallocSkipCount = sMallocSkipCount32[loopIndex];
+    if (sizeof(BN_ULONG) == 8) {
+        mallocSize = MALLOC_SIZE_64BITS;
+        mallocSkipCount = sMallocSkipCount64[loopIndex];
+    }
+    if (size == (sizeof(BN_ULONG) * mallocSize)) {
+        if (sCount >= mallocSkipCount) {
+            return nullptr;
+        }
+        ++sCount;
+    }
+    return realMalloc(size);
+}
+
+using namespace crypto;
+int main() {
+    CRYPTO_library_init();
+    ScopedBN_CTX ctx(BN_CTX_new());
+    if (!ctx) {
+        return EXIT_FAILURE;
+    }
+    for(loopIndex = 0; loopIndex < 2; ++loopIndex) {
+        ScopedBIGNUM bn;
+        int ret = DecimalToBIGNUM(&bn, kTest);
+        if (!ret) {
+            return EXIT_FAILURE;
+        }
+        sOverloadMalloc = true;
+        ScopedOpenSSLString dec(BN_bn2dec(bn.get()));
+        sOverloadMalloc = false;
+        if (!dec) {
+            return EXIT_FAILURE;
+        }
+        if (strcmp(dec.get(), kTest)) {
+            return EXIT_FAILURE;
+        }
+    }
+    return EXIT_SUCCESS;
+}
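Review bot: The fault injection in `malloc` fires only when the request size equals `sizeof(BN_ULONG) * mallocSize`, so if libcrypto's allocation sizes ever stop matching the hard-coded 11/6 words, nothing is failed, `BN_bn2dec` succeeds and `main` returns `EXIT_SUCCESS` without exercising the failure path. I would record the injection with `static bool sInjected = false;` and `sInjected = true;` just before `return nullptr;`, and have `main` check `if (!sInjected)` after `sOverloadMalloc = false;` and report it through a dedicated exit code or log line, since `EXIT_FAILURE` is already used for the `!dec` path. The NOTE above the constants refers to `kBN2DecTests`, which is not defined in this file; it should name `kTest`. Separately, `mtraceInit` does not check the `dlsym` result, so a failed lookup would turn `realMalloc(size)` into a call through a null pointer and crash the PoC itself, which a crash-based check could misread as the vulnerability.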
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
new file mode 100644
index 0000000..7ad29f2
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_2182 extends SecurityTestCase {
+
+    /**
+     * b/32096880
+     * Vulnerability Behaviour: SIGSEGV in self
+     */
+    @SecurityTest(minPatchLevel = "2017-03")
+    @Test
+    public void testPocCVE_2016_2182() throws Exception {
+        String binaryName = "CVE-2016-2182";
+        AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+        testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+        testConfig.config.checkMinAddress(false);
+        AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+    }
+}
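Review bot: `testConfig.config.checkMinAddress(false)` in `testPocCVE_2016_2182` turns off the crash filter's minimum-fault-address check without saying why, and the Javadoc only says "SIGSEGV in self". I would add a comment above that call, e.g. `// The expected fault follows an injected malloc failure and may be at a low address, so the min-address filter is disabled.` (this reason is inferred from poc.cpp and should be confirmed). With the filter off, presumably any SIGSEGV in a process matching `CVE-2016-2182` is counted, including one caused by the PoC's own malloc wrapper, so the Javadoc should also name the expected crash site.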